WebApp Sec mailing list archives
Re: Any special tool for testing a web chat application?
From: Barry Archer <archerba () gmail com>
Date: Thu, 5 Feb 2009 21:09:59 -0600
Rogan,

Yes, exactly - I do want to be able to intercept the AJAXy traffic. Thanks for the BeanShell suggestion and ScriptManager info. That's looking like it will do what I want nicely.

BTW, I've been asked to test a vendor-supplied web-based chat application. I can tune our web application scanning tool to skip most of the general tests, but it still seems like a hammer when I also need a pair of pliers...

Thanks!
Barry

On Thu, Feb 5, 2009 at 6:24 AM, Rogan Dawes <lists () dawes za net> wrote:
> Irene Abezgauz wrote:
>> Barry - are there specific problems you are encountering? If you provide more information it may be easier to help. Other than that, I agree with Rogan: the proxy intercepting a lot of spam is usually the biggest annoyance in applications that are alive and constantly updating. Paros also has a configurable intercept filter which you can easily use to solve that one.
>>
>> Irene
>
> The big thing about the scripting is that it sounds like Barry WANTS to be able to intercept the AJAXy traffic, in order to test how the chat server behaves. BUT, you probably won't have time to manually perform your changes before the browser hits a timeout and tries to send it again, racking up a queue of intercepts, and defeating everything that you are trying to do.
>
> Using the scripting facility allows you to automate the changes that you want to make, so that they happen "instantly", rather than taking however long you take to manually make your changes. Granted, writing the scripts to make your desired changes is not going to be as quick as making a single manual change, but it makes reviewing AJAXy apps a lot more feasible.
>
> By the way, if you use the ScriptManager interface in WebScarab, you get access to the BSF object store via bsf.lookupBean(), which you can use to maintain state in your scripts, e.g. if you only want to make a specific change once, to the next request that goes through, and none after that.
>
> See <http://www.owasp.org/index.php/Scripting_in_WebScarab> and <http://marc.info/?l=owasp-webscarab&m=114562647419874&w=2>
>
> Rogan
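As an added illustration of the two points Rogan makes above (automating the change so the browser never hits its timeout, and using the BSF object store to apply a change only once), here is a BeanShell script of the kind a ScriptManager hook would run. It is example code written for this archive, not code from the thread, from WebScarab or from its documentation. The BSF calls bsf.lookupBean(), bsf.registerBean() and bsf.unregisterBean() are the real org.apache.bsf.BSFManager API; everything else is an assumption: that the hook exposes the intercepted request as `request` and the manager as `bsf`, the Request methods getMethod(), getURL().getPath(), getContent(), setContent() and setHeader(), the chat endpoint path `/chat/send`, the form parameter `msg`, and the bean name `chat.injectOnce`.

```java
// BeanShell script for a WebScarab ScriptManager hook on outgoing proxy
// requests.  ASSUMED (not from the thread): the hook binds the intercepted
// request as `request` (org.owasp.webscarab.model.Request) and the BSF
// manager as `bsf`; the chat client POSTs "room=...&msg=..." to /chat/send.
import org.owasp.webscarab.model.Request;
import java.net.URLDecoder;
import java.net.URLEncoder;

String STATE_KEY = "chat.injectOnce";                  // assumed bean name
String CANARY = "wsc-canary-" + System.currentTimeMillis();

// One-shot state lives in the BSF object store, which survives across script
// runs.  null means the script has never run: arm it.  FALSE means the change
// has already been applied to one request, so do nothing.  To re-arm from
// another script or the ScriptManager console: bsf.unregisterBean(STATE_KEY).
Object armed = bsf.lookupBean(STATE_KEY);
if (armed == null) {
    bsf.registerBean(STATE_KEY, Boolean.TRUE);
    armed = Boolean.TRUE;
}

// Only touch the chat "send" request, not the polling traffic that would
// otherwise pile up in a manual intercept queue.
String path = request.getURL().getPath();               // assumed API
boolean isChatSend = "POST".equals(request.getMethod())
        && path.indexOf("/chat/send") >= 0;

if (isChatSend && Boolean.TRUE.equals(armed)) {
    byte[] content = request.getContent();              // assumed API
    String body = (content == null) ? "" : new String(content, "UTF-8");

    // Rewrite only the msg= parameter, preserving the other form fields and
    // their order; decode, append the canary, and re-encode so the server
    // sees a well-formed body.
    StringBuffer out = new StringBuffer();
    String[] pairs = body.split("&");
    for (int i = 0; i < pairs.length; i++) {
        String pair = pairs[i];
        int eq = pair.indexOf('=');
        String name = (eq < 0) ? pair : pair.substring(0, eq);
        String value = (eq < 0) ? "" : pair.substring(eq + 1);
        if ("msg".equals(name)) {                       // assumed parameter
            String decoded = URLDecoder.decode(value, "UTF-8");
            value = URLEncoder.encode(decoded + " " + CANARY, "UTF-8");
        }
        if (out.length() > 0) out.append('&');
        out.append(name).append('=').append(value);
    }

    byte[] newContent = out.toString().getBytes("UTF-8");
    request.setContent(newContent);                      // assumed API
    // Keep the framing honest; a stale Content-Length is the classic way an
    // automated rewrite silently breaks the request.
    request.setHeader("Content-Length", Integer.toString(newContent.length));

    // Disarm: the next chat send, and every one after it, passes untouched.
    bsf.registerBean(STATE_KEY, Boolean.FALSE);
}
```

The design choice worth noting is that the decision ("has this fired yet?") is kept in the BSF store rather than in a script variable, because the script body is what gets re-evaluated on each hook call, while the object store is the only thing the ScriptManager guarantees to persist between calls. The canary string makes the one rewritten message easy to find later in the chat stream or in the proxy's conversation log, so you can confirm exactly one request was altered.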
Current thread:
- Any special tool for testing a web chat application? Barry Archer (Feb 05)
- Re: Any special tool for testing a web chat application? Rogan Dawes (Feb 05)
- Message not available
- Re: Any special tool for testing a web chat application? Irene Abezgauz (Feb 05)
- Re: Any special tool for testing a web chat application? Rogan Dawes (Feb 05)
- Re: Any special tool for testing a web chat application? Barry Archer (Feb 05)
- Re: Any special tool for testing a web chat application? Steve Pinkham (Feb 06)
- Message not available
- Re: Any special tool for testing a web chat application? Rogan Dawes (Feb 05)
- <Possible follow-ups>
- Re: Any special tool for testing a web chat application? K (Feb 05)